
if they want to continue protecting sensitive information in 2010 and
beyond.

IT industry analysts say the biggest problem facing database managers today is that the bad guys
are using increasingly sophisticated weapons while the evolution of database security defenses has
remained stagnant. They say more firms should take advantage of advanced database security
techniques to keep personal information about customers and company secrets safe from data
thieves.

Meanwhile, analysts say that Oracle is currently ahead of its chief database rivals -- IBM and
Microsoft -- in the race to provide customers with the types of advanced security features they’ll
need. They add, however, that companies running multiple database management systems (DBMSs) from
various vendors probably need to enlist third-party help in implementing a more holistic database
security strategy.

"We've seen a lot of uptick and increase in both the amounts of data and risks associated with
data stores in database systems," said Jeffrey Wheatman, research director for information security
and privacy with Stamford, Conn.-based Gartner Inc. "But unfortunately, we're not seeing as rapid a
move to protecting those data stores among our client base as we expected."

Database security tips for the future

With internal data theft and increasingly sophisticated hacker attacks on the rise, basic
database security measures like authentication, authorization and access control just aren’t enough
anymore, said Noel Yuhanna, a longtime database management system (DBMS) analyst with Cambridge,
Mass.-based Forrester Research Inc.

Yuhanna said those basic measures need to be reinforced with a comprehensive database security
strategy that incorporates a solid understanding of why each database is being protected, with all
the latest information about regulatory requirements and, where appropriate, advanced database
security techniques such as encryption and data scrambling or masking, auditing, monitoring and
change management.

Forrester says the first step in building a strong database security strategy is establishing a
solid foundation that covers the basics of authentication, authorization, access control, data
discovery and classification – and perhaps most important, solid patch management practices.

"Most organizations don’t have good patches installed on their systems," said Yuhanna, who
recently wrote a paper on database security strategies for 2010. "About 65% to 70% of organizations
do not deploy patches on a regular basis."

Many organizations today have such an abundance of databases that they’ve lost track of what
each one contains, he said, which is why database discovery and classification is becoming more
important. The analyst said companies should regularly inventory both production and non-production
databases and then categorize those databases based on which ones contain sensitive information and
which security measures should be followed.

The next step in building a solid security strategy is taking preventive measures with
encryption, data masking and change management. Yuhanna said that encryption should be used
primarily in production databases, with data masking appropriate for non-production databases,
which are commonly used for testing, development and training. The difference between the two is
that encrypted files can be decrypted by users with proper privileges, whereas data masking or
scrambling typically jumbles data permanently. Yuhanna said both measures will go a long way toward
protecting sensitive data from prying eyes.

"Only 16% of organizations are doing data masking, but this number has doubled over the last two
years," he said. "[Data masking] is definitely gaining ground, and we are certainly recommending
that customers put together a data masking strategy."

DBAs and other information technology professionals who were interviewed said they agreed that
it’s a good idea to mask data whenever possible. DBAs and application developers, they explained,
often make copies of production databases and move that information to non-production databases for
testing purposes. Once in a non-production environment, that data can become more vulnerable to
internal data theft.
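
The production-to-test copy described above, as an added example (not code from the article or from any vendor named in it): a one-way, format-preserving mask applied while rows are copied, so real values never reach the non-production database. The table names, the SENSITIVE column map, the sample rows and the HMAC-based substitution are all assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical classification result: the columns that hold sensitive data.
SENSITIVE = {"customers": {"name", "ssn"}, "payments": {"ssn", "card"}}

def mask_value(value: str, key: bytes) -> str:
    """Swap every digit and letter for a keyed substitute, keeping the layout.
    Assumption: key is random per refresh and discarded, so nothing can decrypt."""
    stream = hmac.new(key, value.encode(), hashlib.sha512).digest()
    out = []
    for i, ch in enumerate(value):
        b = stream[i % len(stream)]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            out.append(chr(ord("A" if ch.isupper() else "a") + b % 26))
        else:
            out.append(ch)  # separators stay, so format checks still pass
    return "".join(out)

def build_production() -> sqlite3.Connection:
    """Constructed sample rows standing in for a production database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
        CREATE TABLE payments (id INTEGER PRIMARY KEY, ssn TEXT, card TEXT);
        INSERT INTO customers VALUES (1, 'Alice Example', '078-05-1120');
        INSERT INTO payments VALUES (10, '078-05-1120', '4111 1111 1111 1111');
    """)
    return db

def masked_copy(prod: sqlite3.Connection, key: bytes) -> sqlite3.Connection:
    """Build the non-production copy; real values are never written to it."""
    test_db = sqlite3.connect(":memory:")
    for table, sensitive in SENSITIVE.items():
        ddl = prod.execute(
            "SELECT sql FROM sqlite_master WHERE name = ?", (table,)).fetchone()[0]
        test_db.execute(ddl)
        cur = prod.execute(f"SELECT * FROM {table}")
        cols = [d[0] for d in cur.description]
        marks = ",".join("?" * len(cols))
        for row in cur.fetchall():
            masked = [mask_value(v, key) if c in sensitive else v
                      for c, v in zip(cols, row)]
            test_db.execute(f"INSERT INTO {table} VALUES ({marks})", masked)
    test_db.commit()
    return test_db
```

Because the same input and key always give the same output, a value that appears in two tables is masked identically in both, so joins in the test copy still line up.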

"A DBA has no need to look at the content of the data," said one longtime DBA from Alexandria,
Va., who asked that his name be withheld. "Their job is simply to make sure that the database is
operating and providing services."

Change management, a systematic approach to dealing with changes inside the IT architecture, is
also a good way to keep vulnerabilities out of production databases. Yuhanna said companies should
require that changes to schema structures follow formal procedures, which include documentation and
approval processes.

The last major component of a solid database security strategy is the establishment of strong
intrusion detection capabilities through auditing, monitoring and continual vulnerability
assessment, Yuhanna said.

He explained that auditing -- the process of collecting data that tells you how system resources
are being used -- is particularly important because it informs managers about who is accessing
data, when it was accessed, and what changes were made. Analysts said organizations should quickly
launch thorough investigations whenever critical data changes unexpectedly. Monitoring technologies
can also be of help in this area because they can provide "real time" notifications whenever
suspicious activity occurs.

Industry analysts give Oracle higher marks than Microsoft or IBM when it comes to providing
cutting-edge security capabilities on the database tier of the application stack.

Gartner’s Wheatman said Oracle has paid a great deal of attention to security over the last
several years and, as a result, has come out with strong access control, encryption, data masking
and monitoring tools.

"Oracle definitely offers a strong security profile," he said, "and it’s certainly much improved
over where they were a number of years ago."

Wheatman said Microsoft SQL Server has historically lagged other DBMSs from a security
perspective, although he added that the latest version, Microsoft SQL Server 2008, includes
enhancements that could ultimately serve to close the security gap significantly. He said
Microsoft’s Active Directory can provide additional security capabilities for SQL Server, such as
enhanced authentication and access control.

IBM's DB2 doesn’t have quite as many native capabilities as Oracle, Wheatman said. Because DB2
is used extensively in mainframe environments, finding the right third-party software for
performance monitoring and other security-related functions can sometimes be difficult.

"Oracle is now expanding the scope of Audit Vault to more heterogeneous databases," Yuhanna
said. "I think this is good because 90% of organizations today have more than one DBMS."

Database Vault prevents DBAs from viewing sensitive data. Yuhanna said this masking technology
can be helpful for the growing number of companies that want to redefine the role of DBAs by
limiting their access to data and, ultimately, lowering the chances that insiders will be tempted
to steal information.

Oracle hasn't had quite as strong a focus on providing masking technologies for non-production
databases, but Yuhanna said he expects that to change.

Guardian Software, Camouflage Software Inc. and Informatica Corp. are examples of third-party
software companies that provide automated masking capabilities similar to Database Vault. Firms can
also develop in-house applications to mask data, Yuhanna said, but that process can require a great
deal of manual effort.

Oracle's efforts to improve database security have also spilled over into its business
applications. The company has been expanding some of its database security tools and integrating
them with other systems, Yuhanna said. For example, he noted, data masking capabilities are
available within the Oracle E-Business Suite, PeopleSoft CRM, JD Edwards and Siebel applications.
This is important because many outside attacks on data stores come through the applications
tier.

"They are obviously expanding their applications like Oracle E-Business Suite to be able to
secure data and have better access control over privileges and patches," Yuhanna said.

Database security lessons learned

To avoid internal and external data security threats, he said, organizations will have to take
the time to reexamine their database security strategies, continually make changes where necessary
and, above all, avoid database security complacency.

"Many organizations [think] that if you do auditing and monitoring of databases, that alone is
good enough when it comes to security," Yuhanna said. "But that is obviously a false
perception."
